Beyond Intrusion Detection - Prevention & Protection

Post on 05-Jan-2016


Beyond Intrusion Detection - Prevention & Protection. Problem Domain. Viruses, Worms, Trojans, and Bad Code… Hybrid Threats designed to improve chances for propagation MS_Blaster NIMDA CodeRed SQL Slammer Hackers, Script Kiddies, Malicious Insiders - PowerPoint PPT Presentation


© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.

Beyond Intrusion Detection - Prevention & Protection


Problem Domain

• Viruses, Worms, Trojans, and Bad Code…
• Hybrid Threats designed to improve chances for propagation
  – MS_Blaster
  – NIMDA
  – CodeRed
  – SQL Slammer
• Hackers, Script Kiddies, Malicious Insiders
• Theft of Intellectual Property, Confidentiality, and associated Legal Liability
  – HIPAA, Sarbanes/Oxley, California Senate Bill no.1386, Buckley Amendment


State of Security Today

Firewalls and anti-virus were not capable of stopping any of the last 5 major Internet attacks.

Add MS Blaster!


Example - HTTP-based Attack


Remote User = Unsecured

• Outside firewall
  – Connections are not monitored
• Visit unsuitable websites
• Download unsuitable software
• Broadband
  – Faster connections encourage ‘other uses’
• Peer to peer software
• Instant Messenger tools
• Software vulnerabilities
  – Targeted by hybrid worms


Accidental Internal Attack

[Diagram: INTRUDER reaching Company Confidential data]


Problem: Firewalls are Not Enough

• Firewalls can’t block malicious traffic
• Many ports must be kept open for healthy applications to run
• Users unwittingly download dangerous applications or other forms of malicious code
• “Always on” connection = Always vulnerable
• Peer-to-peer and instant messaging have introduced new infection vectors


Problem: AV is Not Enough

• AV signature scanning is a reactive model
• Several must suffer infection before samples can be obtained, signatures developed, updates released, and protection deployed to your vulnerable endpoints
• MS_Blaster recently spread quickly and undetected, wreaking havoc throughout the world


Problem: Network IPS is not enough

• Although Network IPS has its place, many threats originate at the Desktop

• To protect at the Source, Host based Intrusion Detection and Prevention is necessary

• Detecting only at the Network may be too late


Multi-layered Compromise

[Diagram: INTRUDER, “You have Mail!”, Company Confidential]


“All I Have To Do Is Patch My Systems”

“It takes 30-60 days to install a single patch at every one of our 110 bases”

- US Air Force

“It is a never-ending cycle, trying to keep up with this stuff”

- Toyota

Source: Forbes, May 26, 2003


Vulnerability and Threat Time-Line

Stages: Vulnerability Disclosure, Exploit Disclosure, Worm

• No Patch.
• Security Patch available.
• Typically, apply patch to perimeter network.
• Apply patches everywhere after business is disrupted.


Exploit Signature Based Time-Line

Stages: Vulnerability Disclosure, Exploit Disclosure, Worm

• No exploit patterns.
• No exploit patterns.
• Reactive. Add exploit pattern and variants.
• Reactive. Add worm exploit pattern. Similar to anti-virus, add new variants.


Virtual Patch Based Time-Line

Stages: Vulnerability Disclosure, Exploit Disclosure, Worm

• Protocol Validation. Virtual Patch.
• Proactive. Protected.
• Proactive. Protected.


Case Study

Microsoft SQL Server Resolution Protocol Stack-based Overflow

(MS SQL Slammer Worm)


What was the bug?

• Vulnerability
  – Microsoft SQL Server 2000 and MSDE
  – Buffer-overflow in “SQL Server Resolution”
    • Vuln = ssrp.name.length > 97
  – Disclosed July, 2002
• Exploit
  – Several noted well before January 25th
  – Worm on January 25, 2003


What do sigs look like?

• All sigs
  – UDP port 1434
  – First byte equal to 4
• Pattern-match sigs
  – Slammer pattern
• Protocol-analysis sigs
  – Check length of field for overflow


Snort

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \
    msg:"MS-SQL Worm propagation attempt"; \
    content:"|04|"; depth:1; \
    content:"|81 F1 03 01 04 9B 81 F1 01|"; \
    content:"sock"; content:"send"; \
    reference:bugtraq,5310; reference:bugtraq,5311; \
    reference:url,vil.nai.com/vil/content/v_99992.htm; \
    classtype:misc-attack; sid:2003; rev:2;)


Vulnerability Signature

SQL_SSRP_StackBo is (udp.dst == 1434
                     ssrp.type == 4
                     ssrp.name.length > ssrp.threshold)
    where ssrp.type is first byte of packet
    where ssrp.name is nul-terminated string starting at second byte
    where ssrp.threshold defaults to 97

SQL_SSRP_SlammerWorm is (SQL_SSRP_StackBo
                         pattern-search[offset=97] = DCC9B042EB0E010101010101)
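As an added example (not from the original presentation), the two signature styles from the "What do sigs look like?" slide and the vulnerability signature above expressed as detection logic run over constructed SSRP datagrams: the protocol-analysis check implements SQL_SSRP_StackBo, and the pattern check layers the Slammer bytes on top of it. The sample payloads are constructed here, and reading pattern-search[offset=97] as "search from offset 97 onward" is an assumption.

```python
# Added example: vulnerability-based vs. exploit-pattern detection for SSRP (UDP/1434).
# The datagrams in SAMPLES are constructed for illustration, not real captures.

SSRP_PORT = 1434
SSRP_THRESHOLD = 97      # ssrp.threshold: a name longer than this overflows the stack buffer
SLAMMER_PATTERN = bytes.fromhex("DCC9B042EB0E010101010101")


def ssrp_name(payload: bytes) -> bytes:
    """ssrp.name: NUL-terminated string starting at the second byte of the datagram."""
    end = payload.find(b"\x00", 1)
    return payload[1:] if end == -1 else payload[1:end]


def sql_ssrp_stack_bo(dst_port: int, payload: bytes, threshold: int = SSRP_THRESHOLD) -> bool:
    """Protocol-analysis signature: fires on the vulnerable condition itself,
    whatever bytes the oversized name happens to carry."""
    return (dst_port == SSRP_PORT
            and len(payload) > 0
            and payload[0] == 0x04                  # ssrp.type == 4
            and len(ssrp_name(payload)) > threshold)


def sql_ssrp_slammer_worm(dst_port: int, payload: bytes) -> bool:
    """Pattern-match signature: the overflow condition plus the Slammer bytes.
    Assumption: pattern-search[offset=97] means 'search from offset 97 onward'."""
    return sql_ssrp_stack_bo(dst_port, payload) and payload.find(SLAMMER_PATTERN, 97) != -1


def classify(dst_port: int, payload: bytes) -> str:
    if sql_ssrp_slammer_worm(dst_port, payload):
        return "SQL_SSRP_SlammerWorm"
    if sql_ssrp_stack_bo(dst_port, payload):
        return "SQL_SSRP_StackBo"
    return "no-alert"


# Constructed datagrams: a normal lookup, a generic overflow, a Slammer-shaped
# payload, and a "variant" whose bytes diverge from the known pattern after six bytes.
SAMPLES = {
    "normal_lookup": b"\x04" + b"MYSERVER\x00",
    "generic_overflow": b"\x04" + b"A" * 120,
    "slammer_shaped": b"\x04" + b"\x01" * 96 + SLAMMER_PATTERN + b"\x01" * 40,
    "variant": b"\x04" + b"\x01" * 96 + SLAMMER_PATTERN[:6] + b"\x02" * 46,
}


def run_samples() -> dict:
    """Classify every sample; only the vulnerability signature catches the variant."""
    return {name: classify(SSRP_PORT, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} -> {verdict}")
```

The variant and the generic overflow both show the slide's point: a pattern signature misses them, while the length check on ssrp.name catches every exploit of the bug.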


Security Technology Evolution

[Diagram: Integrated Application]


Layered Technologies

[Diagram: layers PFW, IDS/IPS, IBE, AppCtrl, BuffOP. Network Based Attack Vector: Port 80, Port 135, Port 445, Port 1025, Port xyz. File Based Attack Vector: AV (Reactive), Behavioral. Stages: Pre-Execution, Pre-Execution, Execution Space.]


Buffer Overflow

[Diagram: Stack – Local Variables, Return Address]

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable, as on the slide: buf holds 10 bytes, but strcpy copies
   all of s with no bounds check, so a longer s overwrites the saved return address. */
void funcA(char *s) {
    char buf[10];
    strcpy(buf, s);
    printf("buffer is %s\n", s);
}

funcA("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); …


Buffer Overflow

[Diagram: Stack – Local Variables, Return Address]

Overflow buffer with shellcode and overwrite original return address:

\x90\x90\x90\x90\x90\x90\xeb\xff\x81\x36\x80\xbf\x32\x94\x05\xe8\xe2\xff\xff\xff\x03\

Attacker then jumps to new user-controlled return address.

Arbitrary code can then be executed by the attacker. This code could directly or indirectly access system calls such as CreateProcess(….)


Case: Network: MS Blaster: Day ZERO

[Diagram: layers PFW, IDS/IPS, 0-day, AppCtrl, BuffOP. Network Based Attack Vector (RPC): Port 80, Port 135, Port 445, Port 1025, Port xyz. File Based Attack Vector: AV (Reactive), Behavioral. Stages: Pre-Execution, Pre-Execution, Execution Space.]


Case: Network: MS Blaster: Day ZERO (continued)

[Diagram: layers PFW, IDS/IPS, IBE, AppCtrl, BuffOP. Network Based Attack Vector (RPC, RPC): Port 80, Port 135, Port 445, Port 1025, Port xyz. File Based Attack Vector: AV (Reactive), Behavioral. Stages: Pre-Execution, Pre-Execution, Execution Space. Outcome: RPC Service has been DOS’d, must reboot.]


What’s the difference?

• Protecting against exploits is reactive
  – Too late for many
  – Variants undo previous updates
  – Typical of AV and most IDS/IPS vendors
• Protecting against vulnerabilities is proactive
  – Stops threat at source
  – Requires advanced R&D


Thanks! Questions?